Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Malformed WMV/WMA Files Can Freeze File-Type Detector
CVE-2026-31808
GHSA-5v7r-6r5c-r473
Summary
A security issue exists in the file-type library that can cause a denial of service when detecting certain types of untrusted files. This affects any application that uses file-type to identify file types, potentially freezing the application. To fix, update to the latest version of file-type or implement input validation and timeouts to prevent this issue.
What to do
- Update file-type to version 21.3.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | file-type | > 13.0.0 , <= 21.3.1 | 21.3.1 |
Original title
file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header
Original description
### Impact
A denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a `size` field of zero, the parser enters an infinite loop. The `payload` value becomes negative (-24), causing `tokenizer.ignore(payload)` to move the read position backwards, so the same sub-header is read repeatedly forever.
Any application that uses `file-type` to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload.
### Patches
Fixed in version 21.3.1. Users should upgrade to >= 21.3.1.
### Workarounds
Validate or limit the size of input buffers before passing them to `file-type`, or run file type detection in a worker thread with a timeout.
### References
- Fix commit: 319abf871b50ba2fa221b4a7050059f1ae096f4f
### Reporter
[email protected]
A denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a `size` field of zero, the parser enters an infinite loop. The `payload` value becomes negative (-24), causing `tokenizer.ignore(payload)` to move the read position backwards, so the same sub-header is read repeatedly forever.
Any application that uses `file-type` to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload.
### Patches
Fixed in version 21.3.1. Users should upgrade to >= 21.3.1.
### Workarounds
Validate or limit the size of input buffers before passing them to `file-type`, or run file type detection in a worker thread with a timeout.
### References
- Fix commit: 319abf871b50ba2fa221b4a7050059f1ae096f4f
### Reporter
[email protected]
nvd CVSS3.1
5.3
Vulnerability type
CWE-835
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026